In parts of Europe you can use Revolut, where you can choose whether to enable or disable contactless payments, chip and pin, ATM withdrawals and online payments, depending on what you want to use the card for. You can even keep all of them off and only activate a specific feature for a few minutes when needed.
You can scratch it off, or use a very powerful magnet to erase the strip. When scratching, be careful not to damage the NFC antenna which loops around in the card.
It doesn't need a 'very powerful magnet'. In fact I'm surprised how easy it is to make the magnetic strip unreadable. The way I (unintentionally) do it is simply to keep the cards together in the wallet. Their individual magnetic stripes destroy each other. All the cards are unreadable now, except for the newest card. And no, there aren't any other magnetic or electro-whatever device nearby.
Actually, the prudent thing is to actively damage the NFC antenna.
There is not much point in damaging the magnetic stripe but leaving wireless functionality... they are exactly the same thing only wireless works from a greater distance.
That's absolutely not true. Magnetic stripe is just a dumb carrier of information - you can buy a $5 reader off eBay and read every card in the world, it's not protected in any way. Modern NFC cards do not surrender their information to some random reader - they need to receive a valid cryptographic key first to reply with the data - and such a key can only be produced by an authorized terminal. A normal NFC reader will not read any data off a contactless card, it's just not possible (yes, I am aware that there have been attacks demonstrated, but they were all timing based, with extremely limited use in the real world).
Depends on the card. All NFC cards in Sweden are just as dumb as magnetic stripe cards. I actually believe all cards in Europe are but I could be wrong.
It's there, in plain text, any normal NFC reader will get you everything (there even are Android apps that do it in the Play Store).
In Britain, where people have arguably embraced contactless cards to a greater extent than individuals in other countries, researchers have routinely been able to copy the financial details of some cards, including the 16-digit card number and expiration date, by merely passing their own N.F.C. reader close to a person’s wallet.
There have been numerous other demonstrations of this as well.
> researchers have routinely been able to copy the financial details of some cards
I think this is the key. The implementation of each card may differ leading to inconsistent results.
As a general rule I suggest covering up the CVV or scratching it off if you're sure you have it somewhere safe. An option is to also erase the magnetic strip. It might lead to a less useful card (in cases where only magstrip would work) but definitely a more secure one. And for any NFC card an RFID shield sleeve does wonders.
Yes? And that is a common technique to do it. Hide a small camera behind the counter, make sure to quickly hold a customer's card in view of it and you are done.
NFC though has the advantage of being readable from a distance, easily through a pocket and wallet (if the wallet doesn't have an RFID shield). Surely opening up that attack vector isn't helping?
If you are paying attention you can detect someone trying to photograph your card (they shouldn't even be handling it in the first place). But through your pocket? Practically impossible to detect.
edit: The fact that we still print everything needed to make a purchase on the card itself isn't particularly flattering for our species.
>And that is a common technique to do it. Hide a small camera behind the counter, make sure to quickly hold a customer's card in view of it and you are done.
Nobody actually does this. Name+card#+cvv+expiry just isn’t worth the hassle, easier to get 1000s at a time via phishing or hacking web shops.
Stripe dumps are an entirely different market, with ATM PINs increasing the value of a single dump up to 100x.
>If you mean the CVV it isn't required to make a transaction.
that's incorrect. there's a cvv1 on the magstripe that's needed for magstripe transactions, and there's cvv2 that's on the back of the card that's mostly required (depends on merchant policy) for card not present transactions. for EMV transactions, you need a payment terminal because the card will refuse to communicate unless the other side has a valid certificate. even then, the card only returns a signed response, which you can't use elsewhere.
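An added illustration (not part of any comment in this thread) of the distinction drawn above between static stripe data and a per-transaction signed response that cannot be reused elsewhere. It is a toy model: HMAC-SHA256 stands in for the card's real algorithm, and the `Card`, `Issuer` and `demo` names, the counter check and the card number are all constructed for the example.

```python
import hashlib
import hmac
import os

def _mac(key, pan, amount, atc, nonce):
    # HMAC-SHA256 is a stand-in here, not the algorithm real cards use.
    msg = f"{pan}|{amount}|{atc}".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()

class Card:
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0  # atc: transaction counter
    def static_data(self):
        return self.pan  # identical bytes on every read, like a stripe
    def sign(self, amount, nonce):
        self.atc += 1  # every response is bound to a fresh counter value
        return self.atc, _mac(self._key, self.pan, amount, self.atc, nonce)

class Issuer:
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, pan):
        self.keys[pan], self.last_atc[pan] = os.urandom(32), 0
        return Card(pan, self.keys[pan])

    def approve_static(self, pan):
        return pan in self.keys  # a copy is indistinguishable from the card

    def approve_signed(self, pan, amount, nonce, atc, mac):
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False  # unknown card, or a counter value already seen
        if not hmac.compare_digest(mac, _mac(key, pan, amount, atc, nonce)):
            return False  # response was made for another amount or nonce
        self.last_atc[pan] = atc
        return True

def demo():
    issuer = Issuer()
    card = issuer.enroll("9999000011112222")  # constructed number
    pan, nonce = card.static_data(), b"\x01\x02\x03\x04"  # terminal's nonce
    atc, mac = card.sign(1000, nonce)
    return {
        "static_copy": issuer.approve_static(pan),
        "genuine": issuer.approve_signed(pan, 1000, nonce, atc, mac),
        "replayed": issuer.approve_signed(pan, 1000, nonce, atc, mac),
        "elsewhere": issuer.approve_signed(pan, 1000, b"\x0a\x0b\x0c\x0d", atc + 1, mac),
    }
```

In this model the copied static data is accepted, while the captured signed response is rejected both when replayed as-is and when presented against a different terminal nonce.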
>No? You just said so yourself? "depends on merchant policy" Why would an attacker choose a merchant whose policy denies their use case?
it's not as easy as you think. nearly all merchants require some sort of additional information (cvv, billing address, cardholder name) in addition to card number + expiration date. reason being, for card not present transactions (eg. online), the merchant is liable for fraud (the purchase amount + ~$25 chargeback fee), so they have a strong financial incentive to collect/verify as many pieces of information as possible to reduce their losses. it would be insane to not collect any of those (only requiring card number + expiry date), because the chargebacks will bankrupt you. the reason i said "depends on merchant policy" is because some merchants (iirc amazon) don't collect cvv2 (but they do collect billing address + cardholder name), which I presume is for convenience/conversion rate reasons. I don't actually know of any merchants that only collect card number + expiry date.
But name is the only additional information you need to make a legitimate purchase, and that information isn't a secret (if you, under any circumstance, ask for someone's CVV they will tell you to fuck off. Asking for their name is another thing (maybe even present on a name tag or in many cases trivial in a certain context)). It will make it slightly harder to just randomly scan people's pockets on the subway but still an absolute security nightmare.
>But name is the only additional information you need to make a legitimate purchase
where did you get the impression that there are merchants (worth stealing from) that only accept card number + expiry + name? the example I gave was with amazon, and they take name AND address. even if you're able to find a merchant with lax security that is worth stealing from, how long can you keep the scam up for? maybe a week or two before the fraud reports start pouring in? then they'll patch up their systems and you're back to square one. you're better off installing skimmers and using the card numbers at any merchant that accepts credit (at least in the US).
>will make it slightly harder to just randomly scan people's pockets on the subway but still an absolute security nightmare.
considering that you have to be pretty close for NFC to work, whoever is doing it is going to look pretty suspicious as he's bumping into everyone walking endlessly through the train.
>Just disable NFC altogether, no reason not to.
I can think of one: convenience. wave your card in front of the reader vs insert card, wait, type in, wait some more, then taking out your card.
Does Amazon really even validate the address to the card owner? I've sent stuff to different locations in different names using the same card.
I've heard poker and gaming sites are popular to extract funds (and simultaneously launder them), don't expect them to have much security no.
> considering that you have to be pretty close for NFC to work, whoever is doing it is going to look pretty suspicious as he's bumping into everyone walking endlessly through the train.
Seriously? Just go during rush hour and you can basically stand still, the victims will practically bump into you for you. I don't expect anyone to attempt sprinting a carriage at a time...
Doubt it, maybe for US residents? When I did my first purchase my address didn't match because I was officially living at my parents but sent the package to my own address.
You make it sound like this is difficult or rare, yet banks have a very lax attitude about this and consequently fund thieves with billions upon billions every year. Somehow it is worth it, relying on the victims to scan their transaction history for errors (talk about convenient!).
NFC payment cards are cryptographically protected. It's not just read it and you have a 1:1 copy. Attacks are possible but only online attacks (this is no offline payment system) and with the right critical timing.
Apparently there do exist some cards that are protected, but all I've seen and all I've got access to are completely passive. They serve the exact same function as the magnetic stripe only from a greater distance.